In message <[email protected]>, Florian Weimer writes:
> * Mark Andrews:
> 
> > In message <[email protected]>, Florian Weimer writes:
> >> * Mark Andrews:
> >> 
> >> >>>    Another note is that the answer to the NS query, unlike the referral
> >> >>>    sent when the question is a full qname, is in the Answer section, not
> >> >>>    in the Authoritative section.  It has probably no practical
> >> >>>    consequences.
> >> >> 
> >> >> Most resolvers do not make NS queries, and some authoritative servers
> >> >> do not return useful data (or any data at all).  So using NS queries
> >> >> for zone cut discovery does not work reliably.
> >> >
> >> > Any resolver that is DNSSEC aware will make NS queries (whether
> >> > validating or not).
> >> 
> >> Really?  Where is this mentioned in the protocol RFCs?
> >
> > RFC 3658
> > 2.2.1.2.  Special processing when child and an ancestor share
> >           nameserver
> 
> I think this section is about DS queries, not NS queries.

You need to discover where to send the DS queries.  That means
discovering the immediate parent zone cut.  The usual and suggested
way is to make NS queries with the leftmost label stripped.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
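
The walk described in the last reply above (NS queries with the leftmost label stripped, to find where the DS query goes), as an added example that is not part of the original message or of any resolver's code. The zone names, the in-memory "server" and the function names are all assumptions made for illustration; the last case shows what the walk does when a server gives no NS answer, the concern raised earlier in the thread.

```python
# Added illustration: parent zone-cut discovery with NS queries, run against
# constructed in-memory data (no network). All zone names are made up.
ZONE_APEXES = {".", "com.", "example.com.", "sub.example.com."}


def strip_leftmost_label(name):
    """'sub.example.com.' -> 'example.com.'; 'com.' -> '.'"""
    if name == ".":
        raise ValueError("the root has no parent")
    rest = name.split(".", 1)[1]
    return rest or "."


def make_ns_query(apexes, unhelpful=frozenset()):
    """Stand-in for sending an NS query: the returned function is True when
    the response has an NS RRset in the Answer section. Names in `unhelpful`
    model servers that return no useful data for NS queries."""
    def ns_query(name):
        return name in apexes and name not in unhelpful
    return ns_query


def find_parent_zone(name, ns_query):
    """Zone to ask for the DS RRset of `name`: strip the leftmost label, then
    keep stripping until an NS query is answered.
    Returns (parent_zone, names_queried)."""
    queried = []
    candidate = strip_leftmost_label(name)
    while True:
        queried.append(candidate)
        if ns_query(candidate):
            return candidate, queried
        if candidate == ".":
            raise LookupError("no NS answer, even at the root")
        candidate = strip_leftmost_label(candidate)


if __name__ == "__main__":
    ok = make_ns_query(ZONE_APEXES)
    print(find_parent_zone("sub.example.com.", ok))
    print(find_parent_zone("www.dept.example.com.", ok))
    # A server that gives no NS answer for example.com. pushes the walk to com.
    silent = make_ns_query(ZONE_APEXES, unhelpful={"example.com."})
    print(find_parent_zone("sub.example.com.", silent))
```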
